Why am I not receiving my real time alerts to list...

monteirolopes · ‎09-23-2016

Hi,

I created an alert to list attempts of brute force attacks.

Something like:

"source="WinEventLog:Security"  EventCode = 4771 |  transaction user, ip  maxpause=10s |  table user, ip, eventcount | WHERE eventcount > 10"

I am running the search in real-time and I can see the results but my alert is not working! The alert is configured in real-time and the trigger's condition is configured per-result, but I still don't receive any e-mail alert.

Best Regards,
Lopes.

inventsekar · ‎09-23-2016

I am running the search in real-time and I can see the results but my alert is not working ///
-are you seeing more than 10 events or less? also,
-can you double check the email notification settings?
---- the alert email is it set for number of results or hosts or ...

monteirolopes · ‎09-26-2016

Hi inventsekar, thanks for your reply.

Yes, I am seeing users that contains more than 10 events. Follow an example of my real-time results:

User IP
John.carl 10.10.10.10
richard-grey 8.8.8.8
PAUL 10.11.11.11

My alert is configured to send mail by result, in this case, for example, I have 3 results, but I am receiving just 1 mail with 1 result, for example, PAUL 10.11.11.11.
What about the other users?

Best regards,
Lopes.

nzou_splunk · ‎10-27-2016

Hi Lopes,
Not sure if you set your mail server settings correctly?
Settings -> server settings -> Email settings

Why am I not receiving my real time alerts to list attempts of brute force attacks?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases